Privacy Advocates Vs. Legislators: House To Revisit CISPA This Week

Call it 'cybersecurity' week in our nation's capital, as Internet privacy advocates clash with legislators on the best way enact quality cybersecurity legislation.

The House Intelligence Committee plans to revisit the polarizing Cyber Intelligence Sharing and Protection Act (CISPA) this week, scheduling a "mark up" session today to revamp some of the bill's amendments. This could eventually lead to a floor vote sometime next week, according to reports.

In a conference call with reporters Monday, House Intelligence Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) reiterated their contention that a new CISPA bill would not give the government license to expose the sensitive information of private citizens.

"It's not a surveillance bill," Rogers said.

The primary aim of CISPA is to encourage corporate and public sector information sharing that could help defeat the latest cyber threats by eliminating the legal hurdles that currently deter this sort of exchange.

Privacy advocates took to the Reddit Monday to make their case against CISPA and what they think is its degenerative impact on Internet privacy. According to Rainey Reitman, activism director at the Electronic Frontier Foundation (EFF), initiating a real fix would require a focus on network security, something CISPA in its current incarnation doesn't address.

"Congress wants to appear as if it’s doing 'something' about Internet security. But the truth is that the proposals they’re suggesting don’t address most of the major network security issues. From social engineering to two-step authentication, from the broken CA system to encrypting the web, there are concrete and real issues around network security that can and should be addressed (though a lot of them aren’t legislative solutions)," he said. "Instead of grappling with these issues, Congress is trying to push an information 'sharing' bill that would undermine existing privacy laws."

The legislation has received a significant push from the quick expansion of cyber security lobbying, which has proliferated in the past year.

A total of 1,968 lobbying reports mentioned the word "cybersecurity" (or variations of the term) several times in 2012. That's up from just 990 reports in 2011,according to a report compiled by the Center for Responsive Politics for CNNMoney.

In an opinion piece issued yesterday via Reuters, Senator Lindsey Graham (R-S.C.), ranking member of the Subcommittee on Crime and Terrorism of the Senate Judiciary Committee and Senator Sheldon Whitehouse (D-R.I.), illustrate the bipartisan support that has made CISPA such a lightening rod during this Congressional session. They call for more disclosure of cyber threats, basic security standards for critical infrastructure, greater information sharing, increased legal recourse and additional cyber training initiatives.

They both call for privacy protection, but are vague on the particulars.

"In all this, we must safeguard the privacy of U.S. citizens. We can keep the United States secure without infringing dearly held liberties. Well-crafted legislation can achieve this, they wrote. "We must do this, because we never want to see a nightmare scenario become reality."

But as Mark Jaycox, policy analyst and legislative assistant at the EFF said during yesterday's Reddit discussion, the newest version of the bill (H.R. 624) still has some significant issues when it comes to the protection of sensitive information.

"Information provided to the federal government under CISPA would be exempt from the Freedom of Information Act (FOIA) and other state laws that could otherwise require disclosure (unless some law other than CISPA already requires its provision to the government)," he wrote. "CISPA’s authors argue that the bill contains limitations on how the federal government can use and disclose information by permitting lawsuits against the government. But if a company sends information about a user that is not cyberthreat information, the government agency does not notify the user, only the company."